diff options
| author | Damien Miller <djm@mindrot.org> | 2016-11-30 13:51:49 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-11-30 13:51:49 +1100 |
| commit | c9f880c195c65f1dddcbc4ce9d6bfea7747debcc (patch) | |
| tree | cab69c04041fa6ba8affe42d289ce9a9261b64fd /sshd.c | |
| parent | 79e4829ec81dead1b30999e1626eca589319a47f (diff) | |
factor out common PRNG reseed before privdrop
Add a call to RAND_poll() to ensure than more than pid+time gets
stirred into child processes states. Prompted by analysis from Jann
Horn at Project Zero. ok dtucker@
Diffstat (limited to 'sshd.c')
| -rw-r--r-- | sshd.c | 42 |
1 files changed, 23 insertions, 19 deletions
| @@ -499,9 +499,29 @@ demote_sensitive_data(void) | |||
| 499 | } | 499 | } |
| 500 | 500 | ||
| 501 | static void | 501 | static void |
| 502 | privsep_preauth_child(void) | 502 | reseed_prngs(void) |
| 503 | { | 503 | { |
| 504 | u_int32_t rnd[256]; | 504 | u_int32_t rnd[256]; |
| 505 | |||
| 506 | #ifdef WITH_OPENSSL | ||
| 507 | RAND_poll(); | ||
| 508 | #endif | ||
| 509 | arc4random_stir(); /* noop on recent arc4random() implementations */ | ||
| 510 | arc4random_buf(rnd, sizeof(rnd)); /* let arc4random notice PID change */ | ||
| 511 | |||
| 512 | #ifdef WITH_OPENSSL | ||
| 513 | RAND_seed(rnd, sizeof(rnd)); | ||
| 514 | /* give libcrypto a chance to notice the PID change */ | ||
| 515 | if ((RAND_bytes((u_char *)rnd, 1)) != 1) | ||
| 516 | fatal("%s: RAND_bytes failed", __func__); | ||
| 517 | #endif | ||
| 518 | |||
| 519 | explicit_bzero(rnd, sizeof(rnd)); | ||
| 520 | } | ||
| 521 | |||
| 522 | static void | ||
| 523 | privsep_preauth_child(void) | ||
| 524 | { | ||
| 505 | gid_t gidset[1]; | 525 | gid_t gidset[1]; |
| 506 | 526 | ||
| 507 | /* Enable challenge-response authentication for privilege separation */ | 527 | /* Enable challenge-response authentication for privilege separation */ |
| @@ -513,14 +533,7 @@ privsep_preauth_child(void) | |||
| 513 | ssh_gssapi_prepare_supported_oids(); | 533 | ssh_gssapi_prepare_supported_oids(); |
| 514 | #endif | 534 | #endif |
| 515 | 535 | ||
| 516 | arc4random_stir(); | 536 | reseed_prngs(); |
| 517 | arc4random_buf(rnd, sizeof(rnd)); | ||
| 518 | #ifdef WITH_OPENSSL | ||
| 519 | RAND_seed(rnd, sizeof(rnd)); | ||
| 520 | if ((RAND_bytes((u_char *)rnd, 1)) != 1) | ||
| 521 | fatal("%s: RAND_bytes failed", __func__); | ||
| 522 | #endif | ||
| 523 | explicit_bzero(rnd, sizeof(rnd)); | ||
| 524 | 537 | ||
| 525 | /* Demote the private keys to public keys. */ | 538 | /* Demote the private keys to public keys. */ |
| 526 | demote_sensitive_data(); | 539 | demote_sensitive_data(); |
| @@ -616,8 +629,6 @@ privsep_preauth(Authctxt *authctxt) | |||
| 616 | static void | 629 | static void |
| 617 | privsep_postauth(Authctxt *authctxt) | 630 | privsep_postauth(Authctxt *authctxt) |
| 618 | { | 631 | { |
| 619 | u_int32_t rnd[256]; | ||
| 620 | |||
| 621 | #ifdef DISABLE_FD_PASSING | 632 | #ifdef DISABLE_FD_PASSING |
| 622 | if (1) { | 633 | if (1) { |
| 623 | #else | 634 | #else |
| @@ -651,14 +662,7 @@ privsep_postauth(Authctxt *authctxt) | |||
| 651 | /* Demote the private keys to public keys. */ | 662 | /* Demote the private keys to public keys. */ |
| 652 | demote_sensitive_data(); | 663 | demote_sensitive_data(); |
| 653 | 664 | ||
| 654 | arc4random_stir(); | 665 | reseed_prngs(); |
| 655 | arc4random_buf(rnd, sizeof(rnd)); | ||
| 656 | #ifdef WITH_OPENSSL | ||
| 657 | RAND_seed(rnd, sizeof(rnd)); | ||
| 658 | if ((RAND_bytes((u_char *)rnd, 1)) != 1) | ||
| 659 | fatal("%s: RAND_bytes failed", __func__); | ||
| 660 | #endif | ||
| 661 | explicit_bzero(rnd, sizeof(rnd)); | ||
| 662 | 666 | ||
| 663 | /* Drop privileges */ | 667 | /* Drop privileges */ |
| 664 | do_setusercontext(authctxt->pw); | 668 | do_setusercontext(authctxt->pw); |